Netapp ONTAP 8.3.1. NFS hardening

We have a nice NetApp cluster with 8.3.1 running.

We have multiple vservers for NFS, iSCSI and CIFS. I am running into the following problem.

A Linux coworker of mine is able to mount all the NFS volumes on my filers within /.

We have NFS export policies enabled which allow servers in 2 VLANs access to certain mounts.

However, my coworker can mount / and see all the mounts on the filers (because he is in one of the 2 VLANs).

How can I disable this? The volumes are all mounted under namespaces under /.

So if I remove the export rights of / all the other volumes beneath / will also be unmountable?
Re: Netapp ONTAP 8.3.1. NFS hardening

do I even need an export policy on the / ?

(or a blank one)

Re: Netapp ONTAP 8.3.1. NFS hardening

Yes, you do. Clients must be able to traverse the junction tree starting from the top (i.e. "/"), which means "/" must allow at least a read-only mount. The only way to harden it would be to restrict visibility of files/directories under "/", so that even if clients mount it, they won't be able to see its content.

Re: Netapp ONTAP 8.3.1. NFS hardening

Thanks for your reply!

How can I make it invisible under /?
Re: Netapp ONTAP 8.3.1. NFS hardening

Set "/" unix-permissions to something like 0711 (of course make sure the owner is root) and create a minimal export-policy that only allows ro mount, but no rw, no root etc. Then nobody can list the content of /, but can still explicitly enter subvolumes or mount them.
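The configuration described in this answer, written out as ONTAP 8.3 clustershell commands; this is an added example, not commands posted in the thread. The vserver name vs1, root volume name vs1_root, policy name root_ro and the two VLAN ranges are placeholders to replace with your own, and the lines starting with "#" are annotations rather than commands.

```ontap
# Added example; vs1, vs1_root, root_ro and the VLAN ranges are placeholders.

# 1. Check the current owner, mode bits and export policy of the SVM root volume.
volume show -vserver vs1 -volume vs1_root -fields user,group,unix-permissions,policy

# 2. Root-owned, mode 0711: other users may traverse "/" (x bit) but cannot
#    list it (no r bit), so the junction names are not enumerable.
volume modify -vserver vs1 -volume vs1_root -user root -group root -unix-permissions 0711

# 3. Minimal export policy for "/": read-only mount for the two VLANs only,
#    never read-write, and client root squashed to the anonymous user
#    (-superuser none), so root on a client cannot bypass the 0711 mode bits.
export-policy create -vserver vs1 -policyname root_ro
export-policy rule create -vserver vs1 -policyname root_ro -ruleindex 1 -protocol nfs -clientmatch 10.10.0.0/24 -rorule sys -rwrule never -superuser none -allow-suid false
export-policy rule create -vserver vs1 -policyname root_ro -ruleindex 2 -protocol nfs -clientmatch 10.20.0.0/24 -rorule sys -rwrule never -superuser none -allow-suid false

# 4. Attach the policy to the root volume only; the data volumes junctioned
#    below "/" keep their own, more specific export policies.
volume modify -vserver vs1 -volume vs1_root -policy root_ro

# 5. Verify the result.
export-policy rule show -vserver vs1 -policyname root_ro -instance
volume show -vserver vs1 -volume vs1_root -fields user,group,unix-permissions,policy
```

After this, a client in either VLAN can still mount a data volume by its full junction path, but mounting "/" yields a directory it cannot list.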